W3cubDocs

/WordPress

hash_equals( string $a, string $b )

Timing attack safe string comparison

Description

Compares two strings using the same time whether they’re equal or not.

Note: It can leak the length of a string when arguments of differing length are supplied.

This function was added in PHP 5.6. However, the Hash extension may be explicitly disabled on select servers. As of PHP 7.4.0, the Hash extension is a core PHP extension and can no longer be disabled. I.e. when PHP 7.4.0 becomes the minimum requirement, this polyfill can be safely removed.

Parameters

$a

(string) (Required) Expected string.

$b

(string) (Required) Actual, user supplied, string.

Return

(bool) Whether strings are equal.

Source

File: wp-includes/compat.php

function hash_equals( $a, $b ) {
		$a_length = strlen( $a );
		if ( strlen( $b ) !== $a_length ) {
			return false;
		}
		$result = 0;

		// Do not attempt to "optimize" this.
		for ( $i = 0; $i < $a_length; $i++ ) {
			$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
		}

		return 0 === $result;
	}

Changelog

Version Description
3.9.2 Introduced.

© 2003–2019 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/hash_equals